Tuesday, April 8, 2008

Two security updates have been released along with another batch of updates in the Slackware-Current tree. Nothing major happened in this batch, except that iptables gets a significant upgrade and the installer now supports installation from an HTTP source with a port number, such as: http://somehost:8080.

a/bzip2-1.0.5-i486-1.tgz: Upgraded to bzip2-1.0.5. Previous versions of bzip2 contained a buffer overread error that could cause applications linked to libbz2 to crash, resulting in a denial of service. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1372 (* Security fix *)

a/cryptsetup-1.0.5-i486-3.tgz: Make cryptsetup in /sbin and /usr/sbin both symlinks to /sbin/cryptsetup.static. This prevents "cryptsetup" failure if someone installs only the A package series. Thanks to Piter Punk.

ap/cdrtools-2.01.01a38-i486-1.tgz: Upgraded to cdrtools-2.01.01a38.

ap/dvd+rw-tools-7.1-i486-1.tgz: Upgraded to dvd+rw-tools-7.1.

ap/ghostscript-8.62-i486-4.tgz: Fixed cidfmap for printing with the wqy-zenhei.ttf font. Thanks to ABE Shin-ichi.

d/m4-1.4.11-i486-1.tgz: Upgraded to m4-1.4.11. In addition to bugfixes and enhancements, this version of m4 also fixes two issues with possible security implications. A minor security fix with the use of "maketemp" and "mkstemp" -- these are now quoted to prevent the (rather unlikely) possibility that an unquoted string could match an existing macro causing operations to be done on the wrong file. Also, a problem with the '-F' option (introduced with version 1.4) could cause a core dump or possibly (with certain file names) the execution of arbitrary code. For more information on these issues, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1687 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1688 (* Security fix *)

n/iptables-1.4.0-i486-1.tgz: Upgraded to iptables-1.4.0. Thanks to giovanni for testing this version and suggesting it as a safe upgrade. On x86, explicitly set i486 compile flags (though this is the compiler's default anyway). Thanks to kanedaaa.

xap/xfce-4.4.2-i486-4.tgz: Fixed the build script to apply a couple of bugfix patches correctly. Thanks to Carlos Corbacho for the bug report. Fixed xfcalendar.desktop (orage) to only show in the Xfce menus. Thanks to Frank Duignan for prompting me to take a closer look.

isolinux/initrd.img: Patched to fix expert mode FTP/HTTP installation, and to allow installation from HTTP source with port number, such as: http://somehost:8080 Thanks to Dario Nicodemi for the bug report and patches, and to Eric Hameleers for making some adjustments to the HTTP port patch.

usb-and-pxe-installers/: Patched to fix expert mode FTP/HTTP installation, and to allow installation from HTTP source with port number, such as: http://somehost:8080 Thanks to Dario Nicodemi for the bug report and patches, and to Eric Hameleers for making some adjustments to the HTTP port patch.